2011 - The year without holidays

20 Jan 2011

This article was first published in Data Protection Law & Policy in January 2011

Legislators, regulators and privacy professionals are set for a very busy year ahead. Serious legislative developments are always likely to bring with them some uncertainty and turmoil. But when these changes are directly affected by an ongoing technological transformation and complemented by the relentless actions of keen regulators, we know we face something just short of a revolution. That’s precisely what the year ahead looks like, so here’s a brief guide to 2011 – the year without holidays.

The Article 29 Working Party kicked off the year by publishing a much awaited Opinion on the rules that determine the applicability of European data protection law. The publication of the 34-page long Opinion felt like being presented with an extremely elaborate main course before one could even sit at the table. Probably a taste of things to come later on. Interestingly, the Working Party did not simply carry out a thorough interpretation of the law, but went on to suggest specific changes that would help adapt the current rules to an ever changing world.

In Europe, it is clear that the review of the 1995 data protection directive will preside over all other privacy-related developments, although data security scandals will almost certainly make quite a few front pages. In all likelihood, the European Commission will take centre stage mulling over the submissions made by an unprecedented number of interested parties and deciding what legal mechanisms, principles and obligations best meet their two-fold policy goal – the defence of the fundamental right to data protection and the flow of personal data within the EU.

However, 2011 will not just be about policy making. In fact, it will not take very long before privacy regulators all over the world start using their brand new (or nearly new) powers – the UK and Poland being prime candidates for flexing their muscles early in the new year. Early indications also show that regulators in Europe and beyond will continue to target Internet companies and turn their attention to issues like analytics technology, apps and contacts importers. How they will deal with behavioural targeting is anyone’s guess but it is also clear from the work of the FTC that Europe will not be the only privacy battleground for providers of targeted advertising.

The 25 May deadline for the implementation of the revised e-privacy directive in the EU – which includes data breach notification and cookie consent rules – is unlikely to be met by most European countries. On the cookie front, the truth is that the uncertainty surrounding what qualifies as consent across EU Member States will continue throughout the year. However, that deadline may pass almost unnoticed as at about the same time, the European Commission will publish its concrete proposals for a new data protection regime in the EU, which is likely to become a key focus of attention for international privacy professionals.

Not to be outdone, the US Congress may also surprise us all with proposals for comprehensive data privacy legislation or at least a revamp of the Electronic Communications Privacy Act. However, not even the most ambitious US privacy activists would dream of seeing in their homeland the kind of overwhelmingly pro-individual provisions and measures that we will see being suggested in Europe. New rights like data portability and the right to be forgotten coupled with more comprehensive accountability-driven obligations and even stronger consent requirements will almost certainly give the new European framework a markedly protectionist flavour. Not everything will be geared towards greater rights. Expect some pragmatic thinking in terms of a reduction in administrative obligations and increasing recognition for BCR and Binding Safe Processor Rules, but overall, the emphasis will be on reinstating the balance in favour of the individual.

So what does this mean for data protection officers and privacy professionals? Should we be paying attention to legislative developments or to regulatory action? Should we be devising procedures to honour individuals’ new rights or carrying out privacy impact assessments? Should we lobby policy makers or cooperate with privacy regulators worldwide? Should we follow the legal developments in every jurisdiction or aim for a consistent global compliance programme? All of these questions have a logical answer – both. Prioritising will be key but tackling privacy and information management in 2011 will also require awareness, creativity, determination and a lot of time.